My sharp co-panelists hailed from DHS, the Utilities Telecom Council (UTC), MIT, the University of Vermont and MITRE, and we were masterfully moderated by Emily Frye, also of MITRE.
Anyway, all I want to say here is that we got a great question from an audience member (and it was a very interactive audience!) that we were hard pressed to answer. It went basically like this:
If each utility was somehow given an infusion of $1 million (Dr. Evil's preferred amount), what would be the best, most security-impacting way for them to spend it?
Several of us gave it a shot, and of course I went to metrics, saying the lack of widely agreed-upon security metrics means many if not most utilities would lack the information required to help them answer this question. In retrospect, even though there wasn't any overt booing, that wasn't very helpful.
More helpful by far, though too late for the conference goers, came an answer the next day from my friend, colleague, and previous SGSB co-blogger Jack Danahy. Jack said he would recommend that every utility (and companies in all sectors, for that matter) use the money to perform an inventory: figure out and document, some for the first time, exactly what they have in terms of networks, systems, devices, apps and data.
As someone like Yogi Berra, Mark Twain or Will Rogers once said, "You can't secure what you don't know you have." Clearly, you can't manage risk or even begin to prioritize your actions until you have established a baseline of what needs protecting.
Wish I had thought of that at the right time. Anyway, there's the answer for you. And you can see Jack in his role of IBM's Director of Advanced Security, interviewed by Bloomberg TV, HERE.
And of course the answer to the question in question, the title of the panel session and this post, is yes and no, for all the reasons we've previously explored at length, if not ad nauseam, on this blog.